Skip to content

Commit

Permalink
feat: support pubkey secret creation for oci signature verification (#…
Browse files Browse the repository at this point in the history 
…240)

* feat: support pubkey secret creation

* feat: add support for .env files

* fix: update values to address linting issues

* feat: ensure pub key data is only added data key has suffix .pub

* chore: bump oci plugin to v0.0.8

* feat: update validationresults crd
  • Loading branch information
@ahmad-ibra
ahmad-ibra committed Mar 14, 2024
1 parent fc351f3 commit 0a77ed3
Show file tree
Hide file tree
Showing 8 changed files with 146 additions and 65 deletions.
5 changes: 4 additions & 1 deletion .gitignore
View file
Original file line number Diff line number Diff line change
@@ -1,4 +1,3 @@

# Binaries for programs and plugins
*.exe
*.exe~
Expand Down Expand Up @@ -27,3 +26,7 @@ Dockerfile.cross
*.swp
*.swo
*~

# misc
.DS_Store
.env
6 changes: 5 additions & 1 deletion Makefile
View file
Original file line number Diff line number Diff line change
@@ -1,3 +1,7 @@
ifneq (,$(wildcard ./.env))
include .env
export
endif

# Image URL to use all building/pushing image targets
IMG ?= quay.io/spectrocloud-labs/validator:latest
Expand Down Expand Up @@ -201,4 +205,4 @@ helm-package: generate manifests

.PHONY: frigate
frigate:
frigate gen chart/validator --no-deps -o markdown > chart/validator/README.md
frigate gen chart/validator --no-deps -o markdown > chart/validator/README.md
80 changes: 43 additions & 37 deletions chart/validator/README.md
View file

Large diffs are not rendered by default.

52 changes: 47 additions & 5 deletions chart/validator/crds/validation.spectrocloud.labs_validationresults.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,52 @@ spec:
description: ValidationResultStatus defines the observed state of ValidationResult
properties:
conditions:
items:
description: Condition defines an observation of a Cluster API resource
operational state.
properties:
lastTransitionTime:
description: Last time the condition transitioned from one status
to another. This should be when the underlying condition changed.
If that is not known, then using the time when the API field
changed is acceptable.
format: date-time
type: string
message:
description: A human readable message indicating details about
the transition. This field may be empty.
type: string
reason:
description: The reason for the condition's last transition
in CamelCase. The specific API may choose whether or not this
field is considered a guaranteed API. This field may not be
empty.
type: string
severity:
description: Severity provides an explicit classification of
Reason code, so the users or machines can immediately understand
the current situation and act accordingly. The Severity field
MUST be set only when Status=False.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type of condition in CamelCase or in foo.example.com/CamelCase.
Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important.
type: string
required:
- lastTransitionTime
- status
- type
type: object
type: array
state:
type: string
validationConditions:
items:
properties:
details:
Expand All @@ -87,7 +133,7 @@ spec:
type: string
status:
description: True if the validation rule succeeded, otherwise
False
False.
type: string
validationRule:
description: Unique, one-word description of the validation
Expand All @@ -104,10 +150,6 @@ spec:
- validationType
type: object
type: array
sinkState:
type: string
state:
type: string
required:
- state
type: object
Expand Down
10 changes: 10 additions & 0 deletions chart/validator/templates/plugin-secret-oci-auth.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
{{- range .Values.pluginSecrets.oci.auth }}
apiVersion: v1
kind: Secret
metadata:
name: {{ required ".Values.pluginSecrets.oci.auth.secretName is required!" .secretName }}
stringData:
username: {{ required ".Values.pluginSecrets.oci.auth.username is required!" .username }}
password: {{ required ".Values.pluginSecrets.oci.auth.password is required!" .password }}
---
{{- end }}
13 changes: 13 additions & 0 deletions chart/validator/templates/plugin-secret-oci-pubkey.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
{{- range .Values.pluginSecrets.oci.pubKeys }}
apiVersion: v1
kind: Secret
metadata:
name: {{ required ".Values.pluginSecrets.oci.pubKeys.secretName is required!" .secretName }}
data:
{{- range $key, $val := . }}
{{- if hasSuffix ".pub" $key }}
{{ $key }}: {{ $val | b64enc | quote }}
{{- end }}
{{- end }}
---
{{- end }}
10 changes: 0 additions & 10 deletions chart/validator/templates/plugin-secret-oci.yaml
View file

This file was deleted.

35 changes: 24 additions & 11 deletions chart/validator/values.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -372,7 +372,7 @@ plugins:
- chart:
name: validator-plugin-oci
repository: "https://spectrocloud-labs.github.io/validator-plugin-oci"
version: v0.0.2
version: v0.0.8
values: |-
controllerManager:
kubeRbacProxy:
Expand Down Expand Up @@ -407,7 +407,7 @@ plugins:
- ALL
image:
repository: quay.io/spectrocloud-labs/validator-plugin-oci
tag: v0.0.2
tag: v0.0.8
resources:
limits:
cpu: 500m
Expand Down Expand Up @@ -477,12 +477,25 @@ pluginSecrets:
# vcenterServer: ""
# insecureSkipVerify: ""

# If installing the OCI plugin and validating against private registries, the below config is required unless the following applies:
# - The target cluster already contains secrets with the correct format for all private registries.
# If specifying your own secret, refer to chart/validator/templates/plugin-secret-oci.yaml for
# an example of the expected format and ensure that it exists in the same namespace as the Helm release.
#
oci: [] # Don't forget to delete these square brackets if you're specifying credentials here!
# - secretName: registry-creds # ensure this matches the secretName in the OciRegistryRule
# username: username # for ECR Registries, store the AWS_ACCESS_KEY_ID here
# password: pa$$w0rd # for ECR Registries, store the AWS_SECRET_ACCESS_KEY here
oci:
# If installing the OCI plugin and validating against private registries, the below config is required unless the following applies:
# - The target cluster already contains secrets with the correct format for all private registries.
# If specifying your own secret, refer to chart/validator/templates/plugin-secret-oci-auth.yaml for
# an example of the expected format and ensure that it exists in the same namespace as the Helm release.
#
auth: [] # Don't forget to delete these square brackets if you're specifying credentials here!
# - secretName: registry-creds # ensure this matches the credentials secretName in the OciRegistryRule
# username: username # for ECR Registries, store the AWS_ACCESS_KEY_ID here
# password: pa$$w0rd # for ECR Registries, store the AWS_SECRET_ACCESS_KEY here

# If installing the OCI plugin and enabling signature verification of artifacts, the below config is required unless the following applies:
# - The target cluster already contains secrets with the correct format for all public keys used for signing artifacts.
# If specifying your own secret, refer to chart/validator/templates/plugin-secret-oci-pubkey.yaml for
# an example of the expected format and ensure that it exists in the same namespace as the Helm release.
#
pubKeys: [] # Don't forget to delete these square brackets if you're specifying public keys here!
# - secretName: cosign-public-keys # ensure this matches the public key secretName in the OciRegistryRule
# key1.pub: | # multiple public keys can be added to your secret, ensure each key name ends in .pub
# -----BEGIN PUBLIC KEY-----
# <your public key content here>
# -----END PUBLIC KEY-----

0 comments on commit 0a77ed3

Please sign in to comment.